Among a row of business offices in Sunninghill, Sandton, sits an unnamed, unnumbered three-storey building. It seems out of place: against the backdrop of tall trees and built in a style resembling early 1900s architecture, it could be on a European university campus.
But the peaceful premises on a hectare of land are protected by electric fencing and security cameras and houses what could be described as a formidable crime-fighting unit: this is 25 Tambach Road, home to the Office of Interception Centres (OIC).
The OIC controls powerful equipment that enables branches of the government’s State Security Agency (SSA) to monitor the telecommunications of individuals suspected of criminal or terror activities – tele-communications that include landline calls, faxes, cellular calls, SMSes and MMSes, internet activity, social network usage, emails and messenger services such as WhatsApp and Skype. The centre can also monitor metadata – call-related information such as the time of calls, the numbers called and the caller’s location.
The OIC can do all this – if it has legal permission to do so.
But a two-month investigation by the Mail & Guardian has uncovered that the OIC may possess the capacity to intercept communications illegally.
Ten well-connected sources, including former intelligence agents and countersurveillance professionals with ties to the intelligence community, supplied information for the investigation. To protect them, they have not been named. Four of them confirmed that the OIC is able to intercept communications without the knowledge of the service providers or courts.
Transmission control: The Office of Interception Centres is linked by fibre optic cable to the telecom service providers. (Madelene Cronje)
Connected to the OIC by fibre-optic cables are the networks of telecommunications service providers such as MTN, Vodacom, Cell C and Telkom. These cables can convey all communications – those of people who may, or may not, be involved in nefarious activities, to the OIC.
Law enforcement agencies, including the police’s crime intelligence services, the military intelligence services and the domestic and foreign branches of the State Security Agency (formerly the National Intelligence Agency and the South African Secret Service, respectively), are said to occupy space at the OIC.
The interception of telecommunications by the OIC is regulated by the Regulation of Interception of Communications and Provision of Communication-related Information Act 70 of 2002 (Rica).
Before interception, law enforcement agencies need permission from a designated judge (usually retired), who is commonly referred to as the Rica judge. Currently, this is Judge Yvonne Mokgoro, who operates from an office in Pretoria and is supported by designated staff.
The officials must submit a written application to the judge and provide convincing evidence of criminal or terrorist activities. They must also prove that interception is absolutely necessary to meet the ends of justice.
The judge reviews the application and, if satisfied, grants permission with what is known as an interception direction. Service providers may only allow access to subscriber communications if law enforcement officials present them with this.
For the average citizen, these legal processes happen in the opaque world of the intelligence services: whether you are guilty or innocent, you will not know whether your communications are (or were ever) intercepted. Rica does not permit you to know this, and technology does not reveal it – there is no crackle on the line as was the case in the old days under apartheid.
And, although Rica requires service providers to be made aware of it, they may be as clueless as you are about the ultimate destination of your private communications.
Two of the four sources offered detailed explanations about how the OIC can intercept communications without the knowledge of service providers or the Rica judge.
According to one of them, the OIC has the technology to intercept your communications at the touch of a button. “Your service provider won’t know if you are being tapped or intercepted. And they just literally (like you see on TV), once they have got the information on you on their computers, they just tap in – okay, it’s 083?123?4567 – and bang!, they’re on your phone. They can hear the calls, record the calls, they can see your WhatsApps, they can see your Skype messages.”
This technology exists, but the M&G does not know whether the State Security Agency or any service providers have the equipment.
A former intelligence official, who said he had first-hand experience of it, including being a witness to illegal interception at the OIC, provided another explanation of how the OIC could secretly access communications.
“They basically hack into the cellphone number without anyone knowing. Only when the service provider has a court order, that is when they will know about it.
“But if they do these skelm things, they never let the service provider know. And they can listen to it in real time, and, if they do, it is automatically recorded.”
But Vodacom’s chief risk officer, Johan van Graan, who is tasked with protecting subscriber privacy, makes a strong case to counter these allegations. He and a designated staff of 14 work closely with the law enforcement agencies and the OIC in their investigations. According to him, the OIC does not possess the capability to access subscriber communications without the assistance of the service provider.
This is because of the nature of what is known as the handover interface – the key to interception on large telecommunications networks. It is connected to both the service provider network and the equipment at the OIC. Comprised of hardware and software, and usually situated in the service provider’s mobile switching centre (see graphic), the device enables the service provider to send, or “hand over” (hence the name), a copy of your communications to the OIC electronically.
Van Graan says, with the technology used in South Africa, personnel in the OIC cannot access the handover interface remotely – only the service provider is able to program the interface to deliver communications to the OIC. In addition, only a handful of dedicated service provider staff, who have to receive clearance from the State Security Agency, can program the handover interface and physically access it.
The department of justice and constitutional development says the service provider must route the intercepted communications to the interception centre, where law enforcement agencies can access it. In addition, law enforcement agencies have to follow strict procedures to ensure their Rica applications are legitimate. For example, only some high-ranking officers in the law enforcement agencies can apply for interception directions.
The department says no cases of the abuse of the Rica interception process has been brought to its attention.
What is more, says Van Graan, it is almost impossible to hack into the handover interface.
An independent contractor in the cybersecurity industry, who chose to remain anonymous, confirmed that the handover interface is very secure and cannot be easily hacked. “It utilises ghost IP addresses and cannot just be penetrated. The actual hardware is strictly controlled by authorised senior personnel who are vetted.”
Whatever the case, not all information of interest to law enforcement agencies necessarily passes through the secure interface, and there are other perhaps more vulnerable channels through which information travels.
Metadata includes call records – the time of a call, its duration and the phone numbers involved. It also includes the geographical location of the caller and the receiver at the time of the call.? Law enforcement agencies can use metadata to piece together suspects’ activities by tracking their movements and mapping their associations, and is often used in emergency situations when a criminal or missing person must be found quickly. If it is a matter of life and limb, law enforcement agents can request metadata from service providers and provide them with a court order post facto.
Metadata does not have to be acquired through the handover interface. It is common practice for service providers to give call records, printed on paper, to law enforcement officials.
To obtain these records, officials must apply to a high court judge, a regional court magistrate or a magistrate for a court order. Again, law enforcement officials must prove that the intrusion into a person’s privacy is absolutely necessary to meet the ends of justice. This is regulated by section 205 of the Criminal Procedures Act 51 of 1977.
The M&G spoke to four sources who acknowledged that they had obtained metadata illegally. One of them, a former police officer, spoke in detail about his experiences. He says he simply approached service providers and requested information related to specific cellphone numbers relevant to his cases.
“You just had to be nice, then you could get anything. Remember, I was a detective. I only had to say I am from the police, and that I am looking for information.”
He says bribes were never necessary. “I never even gave anyone a chocolate or anything.”
But, according to Van Graan, his company keeps strict tabs on this sort of information leak, and it’s likely to be discovered by the service provider. “There is an audit trail and, if we get a complaint, that person is dismissed.”
The former police officer describes how he obtained metadata, including call records and caller location, from police crime intelligence to assist him in his pursuit of a suspect. The information was obtained without a warrant. “The incident was recorded like that in the docket, and in the court papers.”
While on the stand, the accused’s attorney asked him about the accused’s cellphone records. “I said that I got the information through a contact. The court accepted it as is.”
The suspect was convicted of the crime, and sentenced.
He says a major reason for circumventing the legal route was that the lengthy process involved in getting a court order could hamper cases. It could take as long as two to four months.
“On big cases, you couldn’t wait that long.”
But the department of justice says a judicial officer has to be satisfied that the application to obtain metadata is justified. If not, the applicant has to gather more evidence. But, the department says, “in many instances, a section 205 order is issued almost immediately”. It adds that unreasonable delays in applications should be reported to the head of office at court.
According to an expert employed by a major service provider, law enforcement agents have other ways of accessing metadata illegally. He gives an example.
“The police as an individual officer gets a court order, a section 205, for a hijacking syndicate with nine numbers that are really about the hijacking syndicate, and the tenth number is about somebody that’s in a divorce.
“Then we give the information to that policeman, he sells [it] for R20 000, and the aggrieved party in the divorce then says, ‘Let’s settle, otherwise I will request this information through legal channels’.
“We have no control over that. And, when we find it out, we hand it over to the police and they investigate it.”
The expert adds that this type of case usually returns to haunt the service provider. “The guy that now needed to pay the money comes to us and says, ‘Who has given out my data? I am going to sue you’.”
The justice department says it is unaware of any such cases. It “has not received any allegations of any call-related information which was provided to a law enforcement agency without judicial authorisation in terms of section 205 of the CPA [Criminal Procedures Act] or otherwise authorised by the Rica”.
However, there are officials who testify to following the letter of the law.
A former crime intelligence official who specialised in the analysis of intercepted communications described some of the strict legal processes involved.
She says, for example, one can obtain metadata only strictly within the timeframe specified in the court order. With intercepting communication content, such as voice calls, regulations are equally stringent. For instance, those transcribing the recorded conversations are sworn to secrecy, vetted and can face jail time if they leak information.
A member of the Hawks told the M&G that he obtained metadata through the legal route.
A former intelligence official confirmed that, “by the time that they [the Hawks] applied for the interception, they had already done their job. They already knew the person was guilty. The guy who intercepts illegally has not done his job. He is still fishing to see if the suspect is really involved.”
Cell C’s executive head of forensic services, Jacqueline Fick, says the company would assist law enforcement officials to investigate any conduct that is at odds with Rica and brought to its attention. She added that Cell C has implemented industry-standard security measures to protect the network and customer information.
The State Security Agency, the South African Police Service, MTN and Telkom did not respond to questions sent to them by the M&G.
This series of articles has been commissioned by the Media Policy and Democracy Project, a joint project of the department of journalism, film and television at the University of Johannesburg and the department of communication science at Unisa